Cannot get secure link with expires to work

Duke Dougal dukedougal at gmail.com
Tue Apr 30 23:14:11 UTC 2019


Hello, I've tried every possible way I can think of to make secure links
work with expires.  I've tried different versions of nginx, I've tried on
Ubuntu, tried on CentOS, tried generating the hash using openssl, tried
using Python.  I've followed every tutorial I can find.  So I must be doing
something really wrong.

I am trying to use the nginx secure link module
http://nginx.org/en/docs/http/ngx_http_secure_link_module.html

I want to make secure links using expires.

No matter what I try, I cannot get it to work when I try to use the expire
time.

It works fine when I do a simple secure link based purely on the link,
without also the expire time or the ip address.

Can anyone suggest what I am doing wrong?  Or can anyone point me to
instructions that show every detail of how to do it and have been recently
tested?

thanks!

The command to generate the key:

   ubuntu@ip-172-31-34-191:/var/www$ echo -n '2147483647/html/index.html secret' | openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =
   FsRb_uu5NsagF0hA_Z-OQg

The command that fails:

   ubuntu@ip-172-31-34-191:/var/www$ curl http://127.0.0.1/html/index.html?md5=FsRb_uu5NsagF0hA_Z-OQgexpires=2147483647
   <html>
   <head><title>403 Forbidden</title></head>
   <body bgcolor="white">
   <center><h1>403 Forbidden</h1></center>
   <hr><center>nginx/1.14.2</center>
   </body>
   </html>

Here's the relevant part of the nginx conf file:

   ubuntu@ip-172-31-34-191:/var/www$ sudo cat /etc/nginx/sites-enabled/theapp_nginx.conf
   ...SNIP
   location /html/ {
       secure_link $arg_md5,$arg_expires;
       secure_link_md5 "$secure_link_expires$uri secret";

       if ($secure_link = "") {
           return 403;
       }

       if ($secure_link = "0") {
           return 410;
       }
       try_files $uri $uri/ =404;
   }
   ...SNIP

Here's the nginx version info:

   ubuntu@ip-172-31-34-191:/var/www$ nginx -V
   nginx version: nginx/1.14.2
   built with OpenSSL 1.1.0g  2 Nov 2017
   TLS SNI support enabled
   configure arguments: --with-cc-opt='-g -O2
-fdebug-prefix-map=/build/nginx-x0ix7n/nginx-1.14.2=.
-fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time
-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro
-Wl,-z,now -fPIC' --prefix=/usr/share/nginx
--conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log
--error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock
--pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug
--with-pcre-jit --with-http_ssl_module --with-http_stub_status_module
--with-http_realip_module --with-http_auth_request_module
--with-http_v2_module --with-http_dav_module --with-http_slice_module
--with-threads --with-http_addition_module --with-http_flv_module
--with-http_geoip_module=dynamic --with-http_gunzip_module
--with-http_gzip_static_module --with-http_image_filter_module=dynamic
--with-http_mp4_module --with-http_perl_module=dynamic
--with-http_random_index_module --with-http_secure_link_module
--with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic
--with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module
--with-stream_ssl_preread_module
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-headers-more-filter
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-auth-pam
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-cache-purge
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-dav-ext
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-ndk
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-echo
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-fancyindex
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/nchan
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-lua
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/rtmp
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-uploadprogress
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-upstream-fair
--add-dynamic-module=/build/nginx-x0ix7n/nginx-1.14.2/debian/modules/http-subs-filter
   ubuntu@ip-172-31-34-191:/var/www$
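
Added example (not part of the original message and not nginx's own code): a simplified Python model of the `secure_link $arg_md5,$arg_expires` check from the configuration above, showing how the hash and the query string fit together and which result each kind of request produces. The function names are hypothetical, and `$uri` is assumed to equal the URL path unchanged.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import urlsplit

SECRET = "secret"  # same literal as in the secure_link_md5 line of the post


def link_hash(expires, uri, secret=SECRET):
    # Mirrors secure_link_md5 "$secure_link_expires$uri secret":
    # MD5 of the expanded string, base64url-encoded, '=' padding removed.
    raw = hashlib.md5(f"{expires}{uri} {secret}".encode()).digest()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_link(uri, expires, secret=SECRET):
    # md5 and expires are separate query parameters joined by '&'.
    return f"{uri}?md5={link_hash(expires, uri, secret)}&expires={expires}"


def get_arg(query, name):
    # Simplified $arg_<name>: raw value of the first matching parameter.
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return ""


def secure_link(url, secret=SECRET, now=None):
    # Simplified model of $secure_link: "" (rejected), "0" (expired), "1" (ok).
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    md5_arg = get_arg(parts.query, "md5")
    exp_arg = get_arg(parts.query, "expires")
    if not (exp_arg.isascii() and exp_arg.isdigit()) or int(exp_arg) <= 0:
        return ""  # expires parameter missing or not a positive number
    expected = link_hash(exp_arg, parts.path, secret)
    if not hmac.compare_digest(md5_arg.encode(), expected.encode()):
        return ""  # hash missing, altered, or computed over other input
    return "0" if int(exp_arg) < now else "1"


if __name__ == "__main__":
    url = make_link("/html/index.html", 2147483647)  # constructed sample
    print(url, "->", repr(secure_link(url)))
```

In this model a query string in which `md5=` and `expires=` are not separated by `&` yields no `expires` parameter at all, so the result is the empty string, which the configuration above maps to 403.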